CareFirst breached again, notifying 6,800 members of phishing attack

The Maryland insurer is already involved in a lawsuit stemming from a 2014 breach of about 1.1 million members.
By Jessica Davis
01:56 PM
Share
CareFirst breach Maryland

CareFirst BlueCross BlueShield offices in Washington, D.C. Credit: Google Maps

A phishing attack on CareFirst BlueCross BlueShield has potentially breached the personal data of 6,800 patients, the Baltimore-based insurer announced on Friday.

On March 12, CareFirst officials discovered an employee had fallen victim to a phishing email, which compromised their account. While the hacker appears to have only used the account to send spam messages to an email account, officials couldn’t rule out unauthorized access by the hacker.

[Also: Supreme Court rejects CareFirst bid to review breach case]

The email account contained personal information including names and member identification numbers, dates of birth. This type of data can be used for medical fraud. For eight members, Social Security numbers were included. No financial or medical information was compromised.

CareFirst hired a third-party security firm to help with its investigation, which concluded no other suspicious activity was detected on its system. All members involved in the breach are being offered free credit monitoring and identity theft protection for two years.

[Also: The biggest healthcare data breaches of 2018 (so far)]

The breach comes about three years after announcing the insurer was hit by a cyberattack that breached the data of about 1 million members. Those victims of the attack, despite several appeals by CareFirst to have the case dismissed, are currently suing.

An outside party detected that breach, and it took officials nearly a year to notify victims that hackers stole their personal information. CareFirst has improved its security response, as it took less than a month to notify members of this recent breach.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com